innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."

Kim Dotcom's new "Mega" cloud service appears to be a hit. According to Dotcom over 1 million have signed up for their free 50 gigabytes of storage. Although that is about 1% of the Dropbox user base, it's not a bad start. From the article: "Mega quickly jumped up to around 100,000 users within an hour or so of the site's official launch. A few hours after that, Mega had ballooned up to approximately a quarter of a million users. Demand was great enough to knock Mega offline for a number of users attempting to either connect up or sign up for new accounts, and Mega's availability remains spotty as of this articles' writing."

An anonymous reader writes "NewScientist reports, 'Along with birthdays, names of pets and ascending number sequences, add one more thing to the list of password no-nos: good grammar.' Researchers from Carnegie Mellon University seem to have developed a password cracking algorithm that targets grammatically correct passwords. Can bad grammar really make your password secure?"

hypnosec writes "How long does a bug take to get resolved? A week? A month? A year? Well, a bug prevalent in the KDE libraries since 2002 has finally been resolved after a decade it has been revealed. The bug was present in the "Reject Cross-Domain Cookies" feature of KDE Libraries. Thiago Macieira noted in the KDE Libraries Revision 974b14b8 that he observed that his web cookies were being forgotten following a kded restart."

An anonymous reader writes "After months of hype riding the coattails of the MegaUpload controversy, Kim Dotcom's new cloud storage site, Mega, is finally going live. After being available to early adopters briefly, it's now open to the public with 50GB of free storage and end-to-end encryption. Several outlets have posted early hands-on reports for the service, including Ars Technica and The Next Web. In an interview, Dotcom spoke about how Mega's encryption scheme benefits both the users and the company: 'The Mega business plan will be a distributed model, with hundreds of companies large and small, around the world, hosting files. A hosting company can be huge or it can own just two or three servers Dotcom says—just as long as it's located outside the U.S. "Each file will be kept with at least two different hosters, [in] at least two different locations," said Dotcom. "That's a great added benefit for us because you can work with the smallest, most unreliable [hosting] companies. It doesn't matter because they can't do anything with that data." More than 1000 hosts answered a request for expressions of interest on the Mega home page. Dotcom says several hundred will be active partners within months.' On top of that, the way it's designed will protect Mega from legal problems: 'It's all about the plausible deniability. Mega doesn't know what you're uploading. ... Mega isn't so much securing your files for you as it is securing itself from your files. If Mega just takes down all the DMCAed links, it will have a 100 percent copyrighted material takedown record as far as its own knowledge is concerned. It literally can't know about cases that aren't actively pointed out to it, complete with file decryption keys.'"

dstates writes "The Department of Health and Human Services has released newly revised rules for the Health Information Privacy and Accountability Act (HIPAA) to ensure patient access to electronic copies of their electronic medical records. Several years ago, there was a great deal of excitement about personalized health information management (e.g. Microsoft HealthVault and Google Health). Unfortunately, patients found it difficult to obtain their medical records from providers in formats that could easily be imported. Personalized health records were time consuming and difficult to maintain, so these initiatives have not lived up to their expectations (e.g. Google Health has been discontinued). The new rules should address this directly and hopefully will revitalize interest in personal health information management. The new HIPAA rules also greatly strengthen patient privacy, the ability of patients to control who sees their medical information, and increases the penalties for leaking medical records information. 'Much has changed in health care since HIPAA was enacted over fifteen years ago,' said HHS Secretary Kathleen Sebelius. 'The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age.'"

Trailrunner7 writes "Up to a million Android users in China could be part of a large mobile botnet, according to research unveiled by Kingsoft Security, a Hong Kong-based security company, this week. The botnet has spread across phones running the Android operating system via Android.Troj.mdk, a Trojan that researchers said exists in upwards of 7,000 applications available from non-Google app marketplaces, including the popular Temple Run and Fishing Joy games." Update: 01/19 12:54 GMT by S : Changed summary to reflect that these apps didn't come from Google Play.

An anonymous reader writes "Google on Friday announced yet another security improvement for Chrome 25. In addition to killing silent extension installation, the omnibox in Google's browser will send all searches over a Secure Sockets Layer (SSL) connection. Chrome already does this for users who are signed in to Google: when they search from the address bar, their queries are sent over HTTPS. As of Chrome 25, however, the same will happen for users who aren't signed in to Google."

msm1267 writes "Oracle's long security nightmare with Java just gets worse. A post to Full Disclosure this morning from a security researcher indicated that two new sandbox bypass vulnerabilities have been discovered and reported to Oracle, along with working exploit code. Oracle released Java 7u11 last Sunday and said it fixed a pair of vulnerabilities being exploited by all the major exploit kits. Turns out one of those two bugs wasn't completely patched. Today's bugs are apparently not related to the previous security issues."

An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity." Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"

An anonymous reader writes "Dozens of volunteers who anonymously donated their genomic data to a public database for medical research have been identified by a team led by Yaniv Erlich, a former computer security researcher turned geneticist. Erlich's team matched Y chromosomal markers in genomes compiled by the 1000 Genomes Project with non-anonymous genomic databases, for example some assembled from contributions by family tree enthusiasts (abstract). After finding a match on a presumed relative of the study participant, the researchers pieced together the relative's family tree through search engines and the like, until they were able to identify the participant based on gender, age, place of birth, and other supposedly 'non-identifying' information associated with the genome. The names of the identified participants have not been released."

McGruber writes "The Transportation Security Administration (TSA) has ended a contract with Rapiscan, a unit of OSI Systems Inc., manufacturer of about half of all of the controversial full-body scanners used on air passengers. TSA officials claim that Rapiscan failed to deliver software that would protect the privacy of passengers, but the contract termination happened immediately after the TSA finally got around to studying the health effects of the scanners, and Congress had a hearing on TSA's 'Scanner Shuffle'."

redletterdave writes "For the second time in a row, Microsoft's Security Essentials failed to earn certification from AV-Test, the independent German testing lab best known for evaluating the effectiveness of antivirus software. Out of 25 different security programs tested by AV-Test, including software from McAfee, Norman, Kaspersky, and others, Microsoft's Security Essentials was just one out of three that failed to gain certification. These results are noteworthy because Microsoft Security Essentials is currently (as of December) the most popular security suite in North America and the world."

Qedward writes with this except from Computerworld UK: "Germany should change a law to enable public administrations to make their software available as free and open source, a German parliamentary committee has advised. German public administrations currently are not allowed to give away goods, including software, said Jimmy Schulz, a member of Parliament and chairman of the Interoperability, Standards and Free Software Project Group. The current law prohibits governments from being part of the development process in the free software community, he said. 'This is a clear disadvantage because it cuts off all benefits obtained from free software, such as being cost-efficient and state-of-the-art,' he said. Besides a recommendation that the government should explore whether the law can be changed for software, the group also called for the use of open standards in order to make sure that everybody can have access to important information, Schulz said. 'We also called for public administrations in general to make sure that new software is created as platform independent as possible,' he added. While the project group is not in favour of giving priority to one type of software over another, it said in its recommendation to the Parliament earlier this week that free and open source software could be a viable alternative to proprietary software." I think a fair rule is that, barring extraordinary and demonstrated need, all tax dollars for software should go only for the development of software for which source is available gratis to all taxpayers, and that secret-source software makers are free to change to fit this requirement any time they'd like to have their software considered for a bid.

Rikki Endsley has been Community Manager for USENIX since September, 2011. She also edits their magazine, ;login:, writes for publications ranging from Linux.com to Network World, and is a long-distance runner to boot. But this interview concentrates on USENIX, a worthy organization that does a great job of helping its members (and the entire Unix/Linux community) stay up to date technically and, with its job board, keep USENIX members employed. Toward the end of the conversation, Rikki mentions some of the intangible but valuable benefits people get when they attend USENIX events. (Remember: If you don't have time to watch the video, can't see the video or just don't like video, you can click on the "Show/Hide Transcript" link and read a text version of the video.)

kthreadd writes "The Red Hat Enterprise Linux 5 derivative CentOS version 5.9 has been released just 10 days after its upstream provider. According to the release notes a number of changes have been made. New packages available in CentOS 5.9 includes for example OpenJDK 7 and Rsyslog 5. Several drivers have also been updated in the kernel which has been updated to version 2.6.18-348, including support for Microsoft's virtualization environment Hyper-V." CentOS has been plugging away now for nearly 10 years.

mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."

chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."

tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."

New submitter kju writes "The security blog of Verizon has the story of an investigation into unauthorized VPN access from China which led to unexpected findings. Investigators found invoices from a Chinese contractor who had actually done the work of the employee, who spent the day watching cat videos and visiting eBay and Facebook. The man had Fedexed his RSA token to the contractor and paid only about 1/5th of his income for the contracting service. Because he provided clean code on time, he was noted in his performance reviews to be the best programmer in the building. According to the article, the man had similar scams running with other companies."